Legal ยท Privacy

Privacy Notice

This notice explains what personal data Tapped handles, why we handle it, how long we keep it, and the rights you have over it. It covers everyone who interacts with our services, platform customers, sub-merchants, cardholders, website visitors, applicants, and business contacts.

Effective 18 April 2026
Supersedes 04 November 2025
Controller Tapped Pte Ltd, Singapore
Also available as PDF on request

Who we are

In this notice, “Tapped” means Tapped Pte Ltd, registered in Singapore at 1 Raffles Place, Level 24, Singapore 048616, together with its group companies in the Philippines (Tapped Payments Philippines Inc.), Malaysia, Indonesia, Thailand, Vietnam, Hong Kong, and Japan. The group company that acts as controller for your data depends on which product you use; a jurisdiction map is at the end of this notice.

Tapped is a business-to-business payments infrastructure provider. We process personal data on two footings:

  • As a controller for our own business operations, website visitors, prospective customers, business contacts, job applicants, and staff of our platform customers.
  • As a processor for our platform customers, the sub-merchant records they collect, the cardholder data that flows through our authorisation path, and the settlement records we produce on their behalf.

Scope of this notice

This notice covers personal data we handle as a controller. Where Tapped acts as a processor for a platform customer, the platform’s own privacy notice applies; ours is available separately as an addendum to our Data Processing Agreement (DPA).

If you are a cardholder who made a payment through a business that uses Tapped, the merchant you paid is the controller for your data. You should contact them first. Tapped will of course support them in responding to you.

Data we handle

We handle different categories of data depending on how you interact with us.

Platform customer contacts

  • Identification, name, role, work email, work phone, office address.
  • Commercial, company name, volume indications, contract terms, invoicing details.
  • Communication, correspondence with our teams, meeting notes, support tickets.
  • Device and usage data from our dashboard and developer portal, IP address, user agent, session timing, feature usage.

Sub-merchant records (processor capacity)

  • Business registration documents, UBO disclosures, director identity documents, tax IDs, bank details, operating address, website, risk evidence.

Cardholder & transaction data (processor capacity)

  • Encrypted PAN, expiry, cardholder name (where present), authorisation results, and the metadata the merchant or platform attaches to the transaction.

Applicants

  • CV, cover letter, interview notes, reference checks, right-to-work evidence where required by law.

Website visitors

  • Page views, IP address, referrer, approximate location, and (with consent) analytics cookies. See the Cookies section.

Why we handle it

We only handle personal data for a defined purpose tied to running Tapped as a payments business. The principal purposes are:

  1. Providing the services in our contract with the platform customer, authorising card transactions, onboarding sub-merchants, settling funds, generating reports.
  2. Meeting our legal obligations, scheme rules, central-bank reporting, anti-money-laundering, tax, sanctions screening.
  3. Running a business, invoicing, collections, audit, customer support, product improvement (on aggregated data).
  4. Security, fraud detection, abuse prevention, access control, breach response.
  5. Hiring, evaluating applicants and operating our careers programme.
  6. Communication, responding to requests, sending service announcements, and (with consent) sending marketing communications you can unsubscribe from at any time.

Lawful basis

Where GDPR or a substantively equivalent law applies, we rely on the following bases:

BasisUsed for
ContractPerforming our platform customer agreement, including processing that is on-behalf-of under our DPA.
Legal obligationAML/CFT, sanctions, tax, scheme rules, regulator reporting.
Legitimate interestsOperating a secure platform, preventing fraud, improving our products on aggregated data, direct communication with business contacts in a B2B context (balanced against your rights).
ConsentMarketing emails to personal (non-work) email addresses, non-essential cookies, optional product surveys.

Who we share with

We share personal data with the following categories of recipient, only where needed for a purpose above and under appropriate contracts.

  • Card schemes (Visa, Mastercard, JCB, UnionPay, American Express), to authorise, clear, and settle transactions.
  • Acquiring banks and partner PSPs (Stripe, Adyen, Airwallex, and our local acquiring subsidiaries), where routed through Tapped Onboard.
  • Regulators and tax authorities, where a specific legal request applies.
  • Professional advisers, lawyers, auditors, security assessors, under confidentiality.
  • Infrastructure vendors, cloud hosting (AWS, Google Cloud), monitoring, email delivery, customer support tooling. A current sub-processor list is in your dashboard under Settings → Compliance.

We do not sell personal data, and we do not allow our vendors to use it for their own purposes.

Cross-border transfers

Tapped is headquartered in Singapore and operates infrastructure in Singapore, Japan, and Hong Kong. Data may move between these regions for redundancy and for operating a 24×7 support rotation. Where data leaves a jurisdiction that restricts outbound transfers, we rely on:

  • EU Standard Contractual Clauses (2021) for transfers out of the EEA or the UK.
  • Singapore PDPC transfer limitation obligations through binding intra-group agreements.
  • ASEAN Model Contractual Clauses where applicable.
  • Specific adequacy or consent arrangements for other jurisdictions.

Enterprise customers can pin data residency to a single region at the workspace level.

How long we keep it

CategoryRetention
Transaction authorisation records10 years (PCI-DSS + AML)
Sub-merchant KYB filesContract + 7 years
Customer support tickets4 years
CRM & contract recordsContract + 7 years (tax)
Marketing contact (unsubscribed)Suppression-only, indefinite
Applicant data (unsuccessful)12 months, then deletion
Server logs (security)13 months
Website analytics26 months

Your rights

Depending on where you are, you may have the right to:

  • Access the personal data we hold about you and receive a copy in a portable format.
  • Correct data that is inaccurate or incomplete.
  • Request deletion, subject to our legal retention obligations.
  • Object to processing based on legitimate interests or withdraw consent at any time.
  • Request a restriction on processing while a dispute is being resolved.
  • Lodge a complaint with your supervisory authority.

Email hello@tapped.cc from the address the request relates to. We acknowledge within 72 hours and complete within 30 days (or 40 days for complex cases, where we’ll explain the extension).

Security

We protect personal data with the controls described on our Security page, PCI-DSS Level 1, SOC 2 Type II, ISO/IEC 27001, per-tenant encryption keys, audit logging of every access, and coordinated disclosure. If we experience a personal-data breach affecting you, we will notify you without undue delay and in any case within the timeframes required by applicable law.

Cookies & website

Our public website uses a small number of strictly-necessary cookies to keep the site functional (session, anti-forgery) and, with your consent, privacy-respecting analytics cookies (page views and referrer, aggregated). We do not set cookies for cross-site advertising. The consent banner is available at the bottom of every page; your choice is stored for 12 months and can be changed at any time.

Contact & complaints

Data Protection Officer, Sofia Arellano, Chief Risk Officer

Email, hello@tapped.cc

Post, DPO, Tapped Pte Ltd, 1 Raffles Place, Level 24, Singapore 048616

If you believe we have not handled your data appropriately, please tell us first so we can fix it. You also have the right to complain to your local privacy authority, for example, the Personal Data Protection Commission in Singapore, the National Privacy Commission in the Philippines, the Information Commissioner in the UK, or your EU Data Protection Authority.